On Friday 24 March 2006 05:38 am, Paul Kölle wrote:
> 王 鹏辉 wrote:
> > Hello, list,
> >
> > Recently, I found that my email server has sent out mass spam emails by
> > some strange account from xxx@×××××.com. I ran chkrootkit and found that
> >
> > bindshell INFECTED (PORTS: 465)
>
> Me too. AFAIK it's a false positive. This is stated in a chkrootkit FAQ
> whose URL slipped out of my memory, but I found it by Google.

I can verify this, as it has been a false positive for me in the past. I would
highly recommend, before passing it off as a false positive, checking to see
what is listening on this port. I've heard that Exim uses this, and
PortSentry does as well. "netstat -nap --ip" should show it. Also, you may
use "lsof | grep TCP".

If you find a suspect file, script, or program (or if you suspect your
'netstat' and 'lsof' binaries contain rootkits), try running:
equery belongs <path to file>
This should tell you which package it belongs to. Then, to verify that it is
the same file that was installed, you can try:
equery check <package that was listed above>

Since you are having spam issues, I would recommend looking into whether
your mail server is an open relay. Here are a few ways to test this:
http://www.spamhelp.org/shopenrelay/
http://www.abuse.net/relay.html

This one has a list of links pertaining to ways you can test for open relay:
http://www.linux-sec.net/Mail/OpenRelay/

Hope this helps!

Robert Larson

--
gentoo-server@g.o mailing list
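The port check and package verification described in the reply above, as an added example script that is not part of the thread: it parses "netstat -nap --ip" output for listeners on a port, then maps each listener's binary to its Gentoo package and runs equery check on it. It assumes Linux /proc/PID/exe and that equery belongs prints the owning package atom as the first field of its result line; the netstat sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): what is listening on a TCP port,
# which Portage package owns that binary, and does the package still verify?

# Constructed sample of "netstat -nap --ip" output so the parser can be
# exercised without a live system (PIDs and program names are made up).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/exim
tcp6       0      0 :::465                  :::*                    LISTEN      -'

# Read netstat output on stdin; print "PID program" for every socket in
# LISTEN state on the given port. A "-" PID means netstat could not see
# the owning process (usually because it was not run as root).
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, addr, ":")      # port is the last ":"-field, also for IPv6
            if (addr[n] != port) next
            split($7, proc, "/")
            print proc[1], (proc[2] == "" ? "unknown" : proc[2])
        }'
}

# Assumed (not from the thread): /proc/PID/exe resolves to the running binary
# and "equery belongs" prints the owning atom as the first field of its
# result line. A binary owned by no package is the case worth investigating.
check_listener() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe") || { echo "PID $pid: cannot read /proc/$pid/exe (run as root)"; return 1; }
    pkg=$(equery belongs "$exe" | awk 'index($1, "/") { print $1; exit }')
    if [ -z "$pkg" ]; then
        echo "PID $pid: $exe belongs to NO installed package; investigate it"
        return 1
    fi
    echo "PID $pid: $exe belongs to $pkg"
    equery check "$pkg"    # compares installed files against recorded checksums
}

# Live run against the local system, e.g.: ./check_port.sh 465
investigate_port() {
    netstat -nap --ip | listeners_on_port "$1" | while read -r pid prog; do
        echo "port $1: $prog (pid $pid)"
        if [ "$pid" != "-" ]; then check_listener "$pid"; fi
    done
}

if [ $# -gt 0 ]; then
    investigate_port "$1"
fi
```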